Defence

​​​​​​​​​​​​​​​​​​​​​​​​​​​​The Cyber War​​​​​​​

When the US accused Russia of orchestrating a state-sponsored cyber attack, it was also accusing the country of breaking an unwritten rule of cyber espionage: don’t share what you find. Daniel Davies asks​​​​​​​ former FBI executive assistant directorShawn Henry whether we’ve reached a defining moment in cyber warfare

In 1890, the American naval strategist Alfred Thayer Mahan argued that by maintaining control of the seas a nation could establish “predominant influence in the world”. While his analysis appeared accurate at the time, within a few short decades the desire to dominate the seas had been replaced by a thirst to decimate from the skies, because it was accepted that whoever controlled the air controlled the world.

The battle for supremacy was never likely to stay airborne for long, so in the 21st Century controlling cyberspace may be where nations focus their efforts, as governments, not to mention criminal organisations, around the globe realise the capacity for disruption and damage cyberspace affords.

In the past 18 months we’ve seen alleged state-sponsored cyber attacks perpetrated or attempted against the US presidential elections, the French presidential elections and the UK parliament, but as the president of cybersecurity firm CrowdStrike and the former executive assistant director of the FBI, Shawn Henry, who spent 24 years running the bureau’s criminal and cyber investigations globally, points out, the recent high-profile cyber attacks are just the latest examples of hacking belonging to a much longer timeline.

“I knew back in the mid 90s that it was a big issue and it was going to grow,” says Henry. “We'd seen certain types of criminal activity migrate to the network – child exploitation was one – but I really saw, and colleagues that I worked with [saw], this existential threat because of the ability of adversaries to target information.”

“The targeting of the network as a specific attack vector was something that I really thought was going to be increasing as the years went on and certainly that's been the case,” he adds.

Cyber warfare's defining moment

It’s fair to say that Russia is today the most high-profile user of hacking as a destabilising tool. But Russia wasn’t the first nation to demonstrate its state-sponsored hacking prowess; that accolade goes to the Americans and Israelis who pioneered the technique back in 2009 when the Stuxnet program infiltrated Iranian computer systems and wrecked thousands of uranium-enriching centrifuges.

Before that nations who hacked and collected data on each other tended to limit their remit to cloak-and-dagger espionage operations, but according to Henry the all-but-confirmed accusation that Russia hacked the Democratic National Convention (DNC) in 2016 represents a “defining moment” in the history of nations using hacking as a weapon.

“Nations have to define what's acceptable and what's not, and if you cross the red line, there can't be grey area.”

“People can see that the theft of information for espionage is acceptable if it's about finding out what a future leader is going to do, what their national security strategies are and what their economic strategies are. That's fair game from an espionage perspective,” says Henry.

“If that information is used to have some impact in terms of affecting the election it changes the dynamic, and the US state department ... have to have that discussion with the Russian Government to find what's acceptable and what's not, and this is a defining moment in that space.

“You get to the point where nations are taking aggressive actions against other nations, where they're taking information they've collected and turning it into some type of an operation that changes the dynamic, and we have to decide what the norms are.

“In the physical world, if nations are taking actions against other nations that's typically not accepted. We see sanctions occur all the time because of actions nations have taken against other nations, physical actions. In cyber and information security I think it's very similar that nations have to define what's acceptable and what's not, and if you cross the red line, there can't be grey area. There has to be clear red lines; nations know what the response is going to be, and only then can we really come up with clear norms.”

Is cyber terrorism the new terrorism?

Looking beyond state-sponsored attacks, following the WannaCry ransomware attack that crippled the NHS, UK Labour leader Jeremy Corbyn branded the perpetrators “21st Century highway robbers”. While that’s not a bad way to describe the attackers, it does in some way undervalue the damage that these black-hat hackers can do.

So as the work of cyber criminals spills out from the network to have real-world consequences, like in the case of the NHS attack, should we, rather than describing hackers as 21st Century highway robbers, consider their acts as no different to terrorists who work solely in the physical world?

“I think that what we’re seeing is not a displacement of physical [terrorism] in support of cyber, but the merging of the two. Where we see attacks on critical infrastructure where information security, or lack of information security, is enabling physical implications of digital attacks, where you see destructions of networks like we saw in Sony or Saudi Aramco, then that's [an example of] merging and there's a blurred line there,” says Henry.

“That should be a cause for concern because when you see that merging it's not just the loss of data but it's the physical destruction of property and potentially life. That's a big issue.

“What we’re seeing is not a displacement of physical terrorism in support of cyber, but the merging of the two.”

“It's a weapon. This is an attack vector. If you think about who the adversaries are: organised crime groups, nation states, terrorists, it's just another tool in their arsenal. Terrorists interested in attacking critical infrastructure: transportation, electricity, water and sewer [systems], they might use kinetic attacks, they might use IEDs [improvised explosive devices], but they might also attack the computers that run those systems. The impact is the same,” he continues.

“In some cases it may be greater, it may be safer and more cost-effective to do it digitally and electronically, and as they recognise that they're going to migrate to that attack vector; but it all comes down to who the adversaries are, that's why attribution is so important because then you can better detect and deter the adversaries. Attribution is critical because the attack vector is going to constantly change, but the adversaries are not.”

Good hackers versus bad hackers

Hacking may be a tool used by terrorist groups, but it isn’t a weapon that is used exclusively by them and other criminals. Consider the case of Edward Snowden who, in revealing thousands of classified NSA documents to journalists, was simultaneously called a hero, a whistleblower, a dissident, a patriot, a traitor and a terrorist. Depending on the circumstances, a hacker can be good, bad or both, and sometimes it may be in the public’s best interest to have information leaked.

“I think that citizens have the right to privacy and that citizens have an obligation where they see abuses by a government to call it out. I absolutely believe that, and I've said many times that the media plays an important role in identifying abuses and bringing abuses to the public [arena]. I think that that's critically important,” says Henry.

“Governments have a fundamental right to protect their citizens and they need to do it in a way that doesn't impinge or impose upon their civil liberties, and that's a delicate balance.”

“I don't put Snowden in that category; I think that if Snowden saw things that he thought were abuses that there were avenues for him to pursue lawfully and legally to call them out, and I think that he had a right to do that if he saw something that was an abuse. Without going into all the details, I don't think that's what happened in Snowden's case. I don't think that that's the case, and I think that the media has somewhat twisted or misinterpreted some of that based on what I know.

“I've been on both sides of this equation for a long time, but that said, I think that governments have a fundamental right to protect their citizens and they need to do it in a way that doesn't impinge or impose upon their civil liberties, and that's a delicate balance. Using the terrorism example, governments have a right to protect their citizens that allows them to be safe, but the citizens have to define where the balance is. If every time you try to get on the tube you have a police officer who wants to physically search you the citizens might say 'I'm not going to abide by that; I don't think the risk of terrorism is that high that I'm going to have a physical strip search every time I get on the tube'.

“There might be other occasions where citizens understand and maybe when I go to the airport it's acceptable because the risk is so high. That's a balance and I think the citizens have to weigh in and I think that citizens ultimately will weigh in.”

Cyber attacks: an unwinnable war?

Regardless of the safeguards that Henry believes are in place to protect against Snowden-style patriotism, the battle between cybersecurity teams and cyber criminals can’t be reduced to a battle of good versus evil, but normally we would want governments to collect and retain reasonable intelligence to keep citizens safe. Given the vulnerabilities that were exposed in the DNC hack, though, can we trust governments to protect their data, or are cybersecurity experts like Henry and CrowdStrike fighting an unwinnable war?

“We're never going to win. Winning to me would be stopping it, all out stopping it. We're not going to end cyber attacks, we're going to manage them, and we manage them by detecting them and mitigating the consequences of the attack, so we manage the impact. When I was in the FBI my agents would go out every single day, dozens of times a week and tell companies that they'd been breached because the companies didn't know, and after they did an analysis those companies would find out that the adversaries were in their network for months or years, undetected,” says Henry.

“We're not going to end cyber attacks, we're going to manage them.”​​​​​​​

“If you can detect them immediately, and within hours or even days disrupt the attack, you can mitigate the consequences. That's managing the attack, but I don't think that we're going to end the attacks anytime soon.

“That philosophy in the physical world has been in place for hundreds of years, about detection and prevention and adversary attribution. It's the primary, fundamental tenant of law enforcement. How do you stop people from robbing banks? You identify who they are, and you mitigate them by arresting them and putting them in jail. If you can stop them in advance of them robbing banks then that's being proactive. It's the same in any other type of law enforcement action; it's the same in terrorism, countering terrorism is about using intelligence and being proactive. If what we did in information security was purely reactionary, more and more companies would be breached. There's been a change and a shift in that focus in information security.”

If anyone can, the US can

If any nation can afford to throw cash at online defence then it’s surely the US, who, according to the Stockholm International Peace Research Institute, spent $611bn on its military and defence in 2016, which is more than the next eight highest spending countries combined. But does the US Government have the talent at its disposal to make an impact in this area, or are talented hackers and cybersecurity experts being lost to the private sector, as Henry was?

“The government has capabilities because they have resources, and there are good people that work in government, but there are a lot of good people in the private sector and I've seen a lot of people leave government and move into the commercial space as the demand [for their talents] has increased because they [the private sector] can afford to pay.”

“I've seen a lot of people leave government and move into the commercial space as the demand has increased.”

But whatever it does, the US needs to move fast, especially with worries that Russia has already crossed a line that it cannot – or will not – retreat from. Henry, for one, is calling for a philosophical change in tactics if the US is to defend itself against online attacks.

“The reason I left the government and came to CrowdStrike was because I recognised the real risk in information security, I recognised what adversaries’ capabilities were and how they were evolving, and I wanted to use the methodology that I'd used in the government for years and I wanted to apply it to the network, using intelligence to peer around the corner and see what's coming and disrupt the adversaries before they have the opportunity to destroy a network.

"That is game-changing in information security. It's moving from reactive defence in-depth to proactive disruption. That's game-changing, and that's where companies need to move, that's where governments need to move and it's a philosophical change.”